From: Kees Cook
To: linux-hardening@vger.kernel.org
Cc: Kees Cook, Andrew Morton, Uladzislau Rezki, Christoph Hellwig, Lorenzo Stoakes, linux-mm@kvack.org, "Gustavo A. R. Silva", Bill Wendling, Justin Stitt, linux-kernel@vger.kernel.org
Subject: [PATCH 33/82] mm/vmalloc: Refactor intentional wrap-around calculation
Date: Mon, 22 Jan 2024 16:27:08 -0800
Message-Id: <20240123002814.1396804-33-keescook@chromium.org>
In-Reply-To: <20240122235208.work.748-kees@kernel.org>
References: <20240122235208.work.748-kees@kernel.org>

In an effort to separate intentional arithmetic wrap-around from unexpected wrap-around, we need to refactor places that depend on this kind of math. One of the most common code patterns of this is:

	VAR + value < VAR

Notably, this is considered "undefined behavior" for signed and pointer types, which the kernel works around by using the -fno-strict-overflow option in the build[1] (which used to just be -fwrapv). Regardless, we want to get the kernel source to the position where we can meaningfully instrument arithmetic wrap-around conditions and catch them when they are unexpected, regardless of whether they are signed[2], unsigned[3], or pointer[4] types.

Refactor open-coded unsigned wrap-around addition test to use check_add_overflow(), retaining the result for later usage (which removes the redundant open-coded addition). This paves the way to enabling the unsigned wrap-around sanitizer[2] in the future.

Link: https://git.kernel.org/linus/68df3755e383e6fecf2354a67b08f92f18536594 [1]
Link: https://github.com/KSPP/linux/issues/26 [2]
Link: https://github.com/KSPP/linux/issues/27 [3]
Link: https://github.com/KSPP/linux/issues/344 [4]
Cc: Andrew Morton
Cc: Uladzislau Rezki
Cc: Christoph Hellwig
Cc: Lorenzo Stoakes
Cc: linux-mm@kvack.org
Signed-off-by: Kees Cook
Reviewed-by: Lorenzo Stoakes
--- mm/vmalloc.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/mm/vmalloc.c b/mm/vmalloc.c index d12a17fc0c17..7932ac99e9d3 100644 --- a/mm/vmalloc.c +++ b/mm/vmalloc.c @@ -1223,6 +1223,7 @@ is_within_this_va(struct vmap_area *va, unsigned long size, unsigned long align, unsigned long vstart) { unsigned long nva_start_addr; + unsigned long sum; if (va->va_start > vstart) nva_start_addr = ALIGN(va->va_start, align);
@@ -1230,11 +1231,11 @@ is_within_this_va(struct vmap_area *va, unsigned long size, nva_start_addr = ALIGN(vstart, align); /* Can be overflowed due to big size or alignment. */ - if (nva_start_addr + size < nva_start_addr || + if (check_add_overflow(nva_start_addr, size, &sum) || nva_start_addr < vstart) return false; - return (nva_start_addr + size <= va->va_end); + return (sum <= va->va_end); } /*
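Review bot: In the second hunk the condition keeps `nva_start_addr < vstart`, which, going by the retained comment ("big size or alignment"), appears to be what catches a wrapped ALIGN() result, so only the size case moves to check_add_overflow() while the alignment case is still detected after the fact by an open-coded comparison. If the aim is to enable the unsigned wrap-around sanitizer later, the changelog should say how the ALIGN() wrap in this function is meant to be handled. Minor: `sum` from the first hunk holds the end address of the candidate range, so a name such as `nva_end_addr` would read better next to `nva_start_addr`.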
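A user-space model of the `is_within_this_va()` change in PATCH 33/82, added here as an illustration and not part of the patch series: it runs the open-coded and the checked form on constructed boundary inputs and shows what a comparison without the guard would accept. `struct va_model`, `ALIGN_UP`, the `fits_*` helpers and the probe values are hypothetical, and the compiler builtin `__builtin_add_overflow()` stands in for the kernel's `check_add_overflow()`.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* User-space stand-in for the kernel's ALIGN(); a must be a power of two. */
#define ALIGN_UP(x, a) (((x) + ((a) - 1UL)) & ~((a) - 1UL))

/* Hypothetical model of the two vmap_area fields the check reads. */
struct va_model {
	unsigned long va_start;
	unsigned long va_end;
};

/* Same start-address selection as the context lines of the first hunk. */
static unsigned long model_start(const struct va_model *va,
				 unsigned long align, unsigned long vstart)
{
	unsigned long base = va->va_start > vstart ? va->va_start : vstart;

	return ALIGN_UP(base, align);
}

/* "Before": open-coded wrap test, then the addition is repeated. */
static bool fits_open_coded(const struct va_model *va, unsigned long size,
			    unsigned long align, unsigned long vstart)
{
	unsigned long start = model_start(va, align, vstart);

	if (start + size < start || start < vstart)
		return false;
	return start + size <= va->va_end;
}

/* "After": one checked addition whose result is reused for the bound. */
static bool fits_checked(const struct va_model *va, unsigned long size,
			 unsigned long align, unsigned long vstart)
{
	unsigned long start = model_start(va, align, vstart);
	unsigned long sum;

	if (__builtin_add_overflow(start, size, &sum) || start < vstart)
		return false;
	return sum <= va->va_end;
}

/* Failure mode: the whole guard is missing, only the bound is compared. */
static bool fits_unchecked(const struct va_model *va, unsigned long size,
			   unsigned long align, unsigned long vstart)
{
	unsigned long start = model_start(va, align, vstart);

	return start + size <= va->va_end;
}

/* Constructed boundary inputs: size, align, vstart. */
struct probe {
	unsigned long size, align, vstart;
};

static const struct probe probes[] = {
	{ 0x2000UL, 0x1000UL, 0 },                  /* fits */
	{ 0x8000UL, 0x1000UL, 0 },                  /* exact fit */
	{ 0x8001UL, 0x1000UL, 0 },                  /* one byte too large */
	{ ULONG_MAX - 0xfffUL, 0x1000UL, 0 },       /* start + size wraps to 0 */
	{ ULONG_MAX, 0x1000UL, 0x2000UL },          /* wraps to a low address */
	{ 0x1000UL, 0x1000UL, ULONG_MAX - 0x10UL }, /* ALIGN_UP itself wraps */
};

#define NPROBES (sizeof(probes) / sizeof(probes[0]))

/* Constructed free area covering [0x1000, 0x9000). */
static const struct va_model area = { 0x1000UL, 0x9000UL };

/* Probes on which the open-coded and checked forms disagree. */
static size_t count_mismatches(void)
{
	size_t i, n = 0;

	for (i = 0; i < NPROBES; i++)
		if (fits_open_coded(&area, probes[i].size, probes[i].align, probes[i].vstart) !=
		    fits_checked(&area, probes[i].size, probes[i].align, probes[i].vstart))
			n++;
	return n;
}

/* Probes the unguarded form accepts although the checked form rejects them. */
static size_t count_wrongly_accepted(void)
{
	size_t i, n = 0;

	for (i = 0; i < NPROBES; i++)
		if (fits_unchecked(&area, probes[i].size, probes[i].align, probes[i].vstart) &&
		    !fits_checked(&area, probes[i].size, probes[i].align, probes[i].vstart))
			n++;
	return n;
}

int main(void)
{
	printf("open-coded vs checked mismatches: %zu\n", count_mismatches());
	printf("accepted only without the guard:  %zu\n", count_wrongly_accepted());
	return 0;
}
```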
From: Kees Cook
To: linux-hardening@vger.kernel.org
Cc: Kees Cook, Andrey Ryabinin, Alexander Potapenko, Andrey Konovalov, Dmitry Vyukov, Vincenzo Frascino, Andrew Morton, kasan-dev@googlegroups.com, linux-mm@kvack.org, "Gustavo A. R. Silva", Bill Wendling, Justin Stitt, linux-kernel@vger.kernel.org
Subject: [PATCH 55/82] kasan: Refactor intentional wrap-around test
Date: Mon, 22 Jan 2024 16:27:30 -0800
Message-Id: <20240123002814.1396804-55-keescook@chromium.org>
In-Reply-To: <20240122235208.work.748-kees@kernel.org>
References: <20240122235208.work.748-kees@kernel.org>

In an effort to separate intentional arithmetic wrap-around from unexpected wrap-around, we need to refactor places that depend on this kind of math. One of the most common code patterns of this is:

	VAR + value < VAR

Notably, this is considered "undefined behavior" for signed and pointer types, which the kernel works around by using the -fno-strict-overflow option in the build[1] (which used to just be -fwrapv). Regardless, we want to get the kernel source to the position where we can meaningfully instrument arithmetic wrap-around conditions and catch them when they are unexpected, regardless of whether they are signed[2], unsigned[3], or pointer[4] types.

Refactor open-coded wrap-around addition test to use add_would_overflow(). This paves the way to enabling the wrap-around sanitizers in the future.

Link: https://git.kernel.org/linus/68df3755e383e6fecf2354a67b08f92f18536594 [1]
Link: https://github.com/KSPP/linux/issues/26 [2]
Link: https://github.com/KSPP/linux/issues/27 [3]
Link: https://github.com/KSPP/linux/issues/344 [4]
Cc: Andrey Ryabinin
Cc: Alexander Potapenko
Cc: Andrey Konovalov
Cc: Dmitry Vyukov
Cc: Vincenzo Frascino
Cc: Andrew Morton
Cc: kasan-dev@googlegroups.com
Cc: linux-mm@kvack.org
Signed-off-by: Kees Cook
Acked-by: Andrey Konovalov
--- mm/kasan/generic.c | 2 +- mm/kasan/sw_tags.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/mm/kasan/generic.c b/mm/kasan/generic.c index df6627f62402..f9bc29ae09bd 100644 --- a/mm/kasan/generic.c +++ b/mm/kasan/generic.c
@@ -171,7 +171,7 @@ static __always_inline bool check_region_inline(const void *addr, if (unlikely(size == 0)) return true; - if (unlikely(addr + size < addr)) + if (unlikely(add_would_overflow(addr, size))) return !kasan_report(addr, size, write, ret_ip); if (unlikely(!addr_has_metadata(addr))) diff --git a/mm/kasan/sw_tags.c b/mm/kasan/sw_tags.c index 220b5d4c6876..79a3bbd66c32 100644 --- a/mm/kasan/sw_tags.c +++ b/mm/kasan/sw_tags.c 
@@ -80,7 +80,7 @@ bool kasan_check_range(const void *addr, size_t size, bool write, if (unlikely(size == 0)) return true; - if (unlikely(addr + size < addr)) + if (unlikely(add_would_overflow(addr, size))) return !kasan_report(addr, size, write, ret_ip); tag = get_tag((const void *)addr);
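Review bot: Both call sites, check_region_inline() in generic.c and kasan_check_range() in sw_tags.c, pass a `const void *addr` together with a `size_t size` to add_would_overflow(), but the changelog describes the helper only through the generic `VAR + value < VAR` pattern and does not say that this is the pointer case [4] with mixed pointer and integer operands. Please state in the commit message that add_would_overflow() accepts a pointer first argument, or cast explicitly at the call sites, so the result does not depend on something that is not visible in this patch. The same check is duplicated in both files and could share one inline helper.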
From: Kees Cook
To: linux-hardening@vger.kernel.org
Cc: Kees Cook, "Gustavo A. R. Silva", Andrew Morton, linux-mm@kvack.org, Bill Wendling, Justin Stitt, linux-kernel@vger.kernel.org
Subject: [PATCH 56/82] usercopy: Refactor intentional wrap-around test
Date: Mon, 22 Jan 2024 16:27:31 -0800
Message-Id: <20240123002814.1396804-56-keescook@chromium.org>
In-Reply-To: <20240122235208.work.748-kees@kernel.org>
References: <20240122235208.work.748-kees@kernel.org>

In an effort to separate intentional arithmetic wrap-around from unexpected wrap-around, we need to refactor places that depend on this kind of math. One of the most common code patterns of this is:

	VAR + value < VAR

Notably, this is considered "undefined behavior" for signed and pointer types, which the kernel works around by using the -fno-strict-overflow option in the build[1] (which used to just be -fwrapv). Regardless, we want to get the kernel source to the position where we can meaningfully instrument arithmetic wrap-around conditions and catch them when they are unexpected, regardless of whether they are signed[2], unsigned[3], or pointer[4] types.

Refactor open-coded wrap-around addition test to use add_would_overflow(). This paves the way to enabling the wrap-around sanitizers in the future.

Link: https://git.kernel.org/linus/68df3755e383e6fecf2354a67b08f92f18536594 [1]
Link: https://github.com/KSPP/linux/issues/26 [2]
Link: https://github.com/KSPP/linux/issues/27 [3]
Link: https://github.com/KSPP/linux/issues/344 [4]
Cc: Kees Cook
Cc: "Gustavo A. R. Silva"
Cc: Andrew Morton
Cc: linux-hardening@vger.kernel.org
Cc: linux-mm@kvack.org
Cc: Gustavo A. R. Silva
Signed-off-by: Kees Cook
--- mm/usercopy.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/mm/usercopy.c b/mm/usercopy.c index 83c164aba6e0..5141c4402903 100644 --- a/mm/usercopy.c +++ b/mm/usercopy.c
@@ -151,7 +151,7 @@ static inline void check_bogus_address(const unsigned long ptr, unsigned long n, bool to_user) { /* Reject if object wraps past end of memory. */ - if (ptr + (n - 1) < ptr) + if (add_would_overflow(ptr, (n - 1))) usercopy_abort("wrapped address", NULL, to_user, 0, ptr + n); /* Reject if NULL or ZERO-allocation. */
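Review bot: The abort call on the line after the changed test still computes `ptr + n` open-coded, and for non-zero `n` that addition wraps in exactly the case this branch reports, so an unsigned wrap-around sanitizer would fire while the arguments to usercopy_abort() are evaluated. The argument `(n - 1)` also wraps when `n` is 0, and the zero-length rejection only comes afterwards, per the comment that follows. Suggest handling `n == 0` before this test and passing usercopy_abort() a value that does not need a wrapping add; the extra parentheses around `n - 1` can go as well.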
From: Kees Cook
To: linux-hardening@vger.kernel.org
Cc: Kees Cook, Andrew Morton, Shuah Khan, linux-mm@kvack.org, linux-kselftest@vger.kernel.org, "Gustavo A. R. Silva", Bill Wendling, Justin Stitt, linux-kernel@vger.kernel.org
Subject: [PATCH 63/82] mm: Refactor intentional wrap-around test
Date: Mon, 22 Jan 2024 16:27:38 -0800
Message-Id: <20240123002814.1396804-63-keescook@chromium.org>
In-Reply-To: <20240122235208.work.748-kees@kernel.org>
References: <20240122235208.work.748-kees@kernel.org>

In an effort to separate intentional arithmetic wrap-around from unexpected wrap-around, we need to refactor places that depend on this kind of math. One of the most common code patterns of this is:

	VAR + value < VAR

Notably, this is considered "undefined behavior" for signed and pointer types, which the kernel works around by using the -fno-strict-overflow option in the build[1] (which used to just be -fwrapv). Regardless, we want to get the kernel source to the position where we can meaningfully instrument arithmetic wrap-around conditions and catch them when they are unexpected, regardless of whether they are signed[2], unsigned[3], or pointer[4] types.

Refactor open-coded wrap-around addition test to use add_would_overflow().
This paves the way to enabling the wrap-around sanitizers in the future.

Link: https://git.kernel.org/linus/68df3755e383e6fecf2354a67b08f92f18536594 [1]
Link: https://github.com/KSPP/linux/issues/26 [2]
Link: https://github.com/KSPP/linux/issues/27 [3]
Link: https://github.com/KSPP/linux/issues/344 [4]
Cc: Andrew Morton
Cc: Shuah Khan
Cc: linux-mm@kvack.org
Cc: linux-kselftest@vger.kernel.org
Signed-off-by: Kees Cook
---
 mm/memory.c | 4 ++--
 mm/mmap.c | 2 +-
 mm/mremap.c | 2 +-
 mm/nommu.c | 4 ++--
 mm/util.c | 2 +-
 5 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/mm/memory.c b/mm/memory.c index 7e1f4849463a..d47acdff7af3 100644 --- a/mm/memory.c +++ b/mm/memory.c @@ -2559,7 +2559,7 @@ int vm_iomap_memory(struct vm_area_struct *vma, phys_addr_t start, unsigned long unsigned long vm_len, pfn, pages; /* Check that the physical memory area passed in looks valid */ - if (start + len < start) + if (add_would_overflow(start, len)) return -EINVAL; /* * You *really* shouldn't map things that aren't page-aligned, @@ -2569,7 +2569,7 @@ int vm_iomap_memory(struct vm_area_struct *vma, phys_addr_t start, unsigned long len += start & ~PAGE_MASK; pfn = start >> PAGE_SHIFT; pages = (len + ~PAGE_MASK) >> PAGE_SHIFT; - if (pfn + pages < pfn) + if (add_would_overflow(pfn, pages)) return -EINVAL; /* We start the mapping 'vm_pgoff' pages into the area */ diff --git a/mm/mmap.c b/mm/mmap.c index b78e83d351d2..16501fcaf511 100644 --- a/mm/mmap.c +++ b/mm/mmap.c @@ -3023,7 +3023,7 @@ SYSCALL_DEFINE5(remap_file_pages, unsigned long, start, unsigned long, size, return ret; /* Does pgoff wrap? */ - if (pgoff + (size >> PAGE_SHIFT) < pgoff) + if (add_would_overflow(pgoff, (size >> PAGE_SHIFT))) return ret; if (mmap_write_lock_killable(mm)) diff --git a/mm/mremap.c b/mm/mremap.c index 38d98465f3d8..efa27019a05d 100644 --- a/mm/mremap.c +++ b/mm/mremap.c 
@@ -848,7 +848,7 @@ static struct vm_area_struct *vma_to_resize(unsigned long addr, /* Need to be careful about a growing mapping */ pgoff = (addr - vma->vm_start) >> PAGE_SHIFT; pgoff += vma->vm_pgoff; - if (pgoff + (new_len >> PAGE_SHIFT) < pgoff) + if (add_would_overflow(pgoff, (new_len >> PAGE_SHIFT))) return ERR_PTR(-EINVAL); if (vma->vm_flags & (VM_DONTEXPAND | VM_PFNMAP)) diff --git a/mm/nommu.c b/mm/nommu.c index b6dc558d3144..299bcfe19eed 100644 --- a/mm/nommu.c +++ b/mm/nommu.c @@ -202,7 +202,7 @@ EXPORT_SYMBOL(vmalloc_to_pfn); long vread_iter(struct iov_iter *iter, const char *addr, size_t count) { /* Don't allow overflow */ - if ((unsigned long) addr + count < count) + if (add_would_overflow(count, (unsigned long)addr)) count = -(unsigned long) addr; return copy_to_iter(addr, count, iter); @@ -1705,7 +1705,7 @@ int access_process_vm(struct task_struct *tsk, unsigned long addr, void *buf, in { struct mm_struct *mm; - if (addr + len < addr) + if (add_would_overflow(addr, len)) return 0; mm = get_task_mm(tsk); diff --git a/mm/util.c b/mm/util.c index 5a6a9802583b..e6beeb23b48b 100644 --- a/mm/util.c +++ b/mm/util.c 
@@ -567,7 +567,7 @@ unsigned long vm_mmap(struct file *file, unsigned long addr, unsigned long len, unsigned long prot, unsigned long flag, unsigned long offset) { - if (unlikely(offset + PAGE_ALIGN(len) < offset)) + if (unlikely(add_would_overflow(offset, PAGE_ALIGN(len)))) return -EINVAL; if (unlikely(offset_in_page(offset))) return -EINVAL;

From patchwork Tue Jan 23 00:27:53 2024
X-Patchwork-Submitter: Kees Cook
X-Patchwork-Id: 13526753
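
Review bot: in the first mm/memory.c hunk of 63/82 (vm_iomap_memory()), add_would_overflow(start, len) mixes a phys_addr_t with len, whose declaration is cut off in the hunk header, and nothing in the patch or the commit message says at which width the helper evaluates the sum. The open-coded `start + len < start` ran after the usual arithmetic conversions, so where phys_addr_t is wider than the type of len the test was done at phys_addr_t width. Please point to the patch that defines add_would_overflow() and state that it keeps that behaviour for mixed operand types, or cast len explicitly at this call site.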
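
Review bot: in the second mm/memory.c hunk of 63/82 only the final `pfn + pages` test is converted, while the two additions in the context lines just above it, `len += start & ~PAGE_MASK` and `len + ~PAGE_MASK`, stay open-coded and unchecked. For a large len these can wrap first, so pages would be computed from a wrapped value before add_would_overflow(pfn, pages) runs. Given the stated goal of instrumenting unexpected wrap-around, either bound len before these lines or say in the commit message that they are out of scope for this patch.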
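
Review bot: in the access_process_vm() hunk in mm/nommu.c (63/82) the type of len is not visible, because the hunk header is cut off after buf, and whether this conversion is behaviour-preserving depends on it. If len is signed, `addr + len < addr` converted it to unsigned long before adding, so a negative len showed up as a wrap and the function returned 0; a helper that tests the exact sum of its operands could accept the same input. Please confirm that add_would_overflow(addr, len) keeps the old result for a negative len, or reject len < 0 explicitly before the call.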
From: Kees Cook
To: linux-hardening@vger.kernel.org
Cc: Kees Cook, Andrew Morton, Uladzislau Rezki, Christoph Hellwig, Lorenzo Stoakes, linux-mm@kvack.org, "Gustavo A. R. Silva", Bill Wendling, Justin Stitt, linux-kernel@vger.kernel.org
Subject: [PATCH 78/82] mm/vmalloc: Refactor intentional wrap-around test
Date: Mon, 22 Jan 2024 16:27:53 -0800
Message-Id: <20240123002814.1396804-78-keescook@chromium.org>
In-Reply-To: <20240122235208.work.748-kees@kernel.org>
References: <20240122235208.work.748-kees@kernel.org>

In an effort to separate intentional arithmetic wrap-around from unexpected wrap-around, we need to refactor places that depend on this kind of math. One of the most common code patterns of this is:

	VAR + value < VAR

Notably, this is considered "undefined behavior" for signed and pointer types, which the kernel works around by using the -fno-strict-overflow option in the build[1] (which used to just be -fwrapv). Regardless, we want to get the kernel source to the position where we can meaningfully instrument arithmetic wrap-around conditions and catch them when they are unexpected, regardless of whether they are signed[2], unsigned[3], or pointer[4] types.

Refactor open-coded wrap-around addition test to use add_would_overflow(). This paves the way to enabling the wrap-around sanitizers in the future.

Link: https://git.kernel.org/linus/68df3755e383e6fecf2354a67b08f92f18536594 [1]
Link: https://github.com/KSPP/linux/issues/26 [2]
Link: https://github.com/KSPP/linux/issues/27 [3]
Link: https://github.com/KSPP/linux/issues/344 [4]
Cc: Andrew Morton
Cc: Uladzislau Rezki
Cc: Christoph Hellwig
Cc: Lorenzo Stoakes
Cc: linux-mm@kvack.org
Signed-off-by: Kees Cook
Reviewed-by: Lorenzo Stoakes
---
 mm/vmalloc.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/mm/vmalloc.c b/mm/vmalloc.c index 7932ac99e9d3..3d73f2ac6957 100644 --- a/mm/vmalloc.c +++ b/mm/vmalloc.c 
@@ -3750,7 +3750,7 @@ long vread_iter(struct iov_iter *iter, const char *addr, size_t count) addr = kasan_reset_tag(addr); /* Don't allow overflow */ - if ((unsigned long) addr + count < count) + if (add_would_overflow(count, (unsigned long)addr)) count = -(unsigned long) addr; remains = count;
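
Review bot: the vread_iter() conversion passes its operands as add_would_overflow(count, (unsigned long)addr), length first and base second, whereas the conversions in mm/memory.c and access_process_vm() in 63/82 pass the base first (add_would_overflow(start, len), add_would_overflow(addr, len)). The order mirrors the old `< count` comparison, but unless the helper is documented as symmetric it reads as a different test; consider add_would_overflow((unsigned long)addr, count) or a short comment. The clamp on the next line, `count = -(unsigned long) addr`, is itself wrap-around arithmetic and stays open-coded, so a comment marking that wrap as intended would fit the purpose of the series.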
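
The `VAR + value < VAR` idiom the commit messages describe, next to a checker built on the compiler's `__builtin_add_overflow`, as an added example that is not part of the patches. The `wraps_*` functions are hypothetical userspace stand-ins, not the kernel's `add_would_overflow()` (whose definition is not shown on this page), and the inputs are constructed.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Open-coded idiom from the commit message: VAR + value < VAR.
 * A signed 'len' is converted to unsigned long before the addition
 * (written out as a cast here), so the sum is taken modulo 2^N.
 */
static bool wraps_open_coded(unsigned long addr, int len)
{
	return addr + (unsigned long)len < addr;
}

/*
 * Hypothetical stand-in checker, NOT the kernel's add_would_overflow():
 * asks whether the mathematically exact sum fits in unsigned long.
 */
static bool wraps_builtin(unsigned long addr, int len)
{
	unsigned long sum;

	return __builtin_add_overflow(addr, len, &sum);
}

/* Same exact-sum check for a 64-bit base and 32-bit length, at two widths. */
static bool wraps_at_64(uint64_t start, uint32_t len)
{
	uint64_t sum;

	return __builtin_add_overflow(start, len, &sum);
}

static bool wraps_at_32(uint64_t start, uint32_t len)
{
	uint32_t sum;

	return __builtin_add_overflow(start, len, &sum);
}

int main(void)
{
	/* Constructed inputs: {addr, len} pairs. */
	const struct { unsigned long addr; int len; } t[] = {
		{ ULONG_MAX, 1 },	/* both tests report a wrap */
		{ 0x1000UL, -1 },	/* only the open-coded test fires */
		{ 0UL, -1 },		/* only the exact-sum test fires */
	};

	for (size_t i = 0; i < sizeof(t) / sizeof(t[0]); i++)
		printf("addr=%#lx len=%d open=%d builtin=%d\n", t[i].addr, t[i].len,
		       wraps_open_coded(t[i].addr, t[i].len),
		       wraps_builtin(t[i].addr, t[i].len));

	/* 0xFFFFF000 + 0x2000 fits in 64 bits but not in 32. */
	printf("64-bit=%d 32-bit=%d\n", wraps_at_64(0xFFFFF000ULL, 0x2000U),
	       wraps_at_32(0xFFFFF000ULL, 0x2000U));
	return 0;
}
```

The cases where the two tests disagree are why each converted call site needs a look at the signedness and width of its operands.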